{"id":1347,"date":"2026-05-15T17:09:39","date_gmt":"2026-05-15T14:09:39","guid":{"rendered":"https:\/\/www.asenalu.com\/?page_id=1347"},"modified":"2026-05-21T12:04:30","modified_gmt":"2026-05-21T09:04:30","slug":"asen-aluminyum-kisisel-verilerinkorunmasi-politikasi","status":"publish","type":"page","link":"https:\/\/www.asenalu.com\/en\/asen-aluminyum-kisisel-verilerinkorunmasi-politikasi\/","title":{"rendered":"Personal Data Protection Policy"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Ki\u015fisel VerilerinKorunmas\u0131 Politikas\u0131<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

1. PURPOSE<\/h3>

The right of every individual to request the protection of personal data about him\/her is a fundamental\nright arising from the Constitution. As ASEN ALUMINUM INDUSTRY AND TRADE INC. ("ASEN"), we\nconsider fulfilling the requirements of this right as one of our most valuable duties. For this reason, we\nattach importance to the processing and protection of your personal data in accordance with the law.<\/p>

As a result of the importance we attach to the protection of personal data, the Corporate Personal\nData Protection Policy has been prepared to determine the principles and procedures we apply while\nprocessing and protecting personal data.<\/p>

2. SCOPE<\/h3>

The Policy covers all kinds of operations performed on all personal data managed by ASEN, such as\nobtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over,\nmaking available, classifying or preventing the use of all personal data data by fully or partially\nautomatic means or non-automatic means provided that it is a part of any data recording system.<\/p>

The Policy is related to all processed personal data of ASEN's partners, executives, customers,\nemployees, supplier officials and employees and third parties.<\/p>

ASEN may amend the Policy in order to comply with the legislation and the decisions of the Personal\nData Protection Authority and to better protect personal data.<\/p>

3. DEFINITIONS<\/h3>
Abbreviation<\/th>Definition<\/th><\/tr><\/thead>
Buyer Group<\/strong><\/td>The category of natural or legal person to whom personal data is transferred\n\nby the data controller.<\/td><\/tr>
Explicit Consent<\/strong><\/td>Consent regarding a specific subject, based on information and expressed\n\nwith free will.<\/td><\/tr>
Anonymization<\/strong><\/td>Making personal data incapable of being associated with an identified or\nidentifiable natural person in any way, even by matching it with other data.<\/td><\/tr>
Data Subject<\/strong><\/td>The natural person whose personal data is processed.<\/td><\/tr>
Relevant User<\/strong><\/td>Except for the person or unit responsible for the technical storage, protection\nand backup of data, they are the persons who process personal data within\nthe data controller organization or in line with the authorization and\ninstruction received from the data controller.<\/td><\/tr>
Destruction<\/strong><\/td>Deletion, destruction or anonymization of personal data.<\/td><\/tr>
Law\/KVKK<\/strong><\/td>Law No. 6698 on the Protection of Personal Data.<\/td><\/tr><\/tbody><\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n \n \n \n \n \n \n \n \n \n \n \n \n \n
Recording Media<\/strong><\/td>\n \n Any environment where personal data is processed by fully or partially automatic means or by non-automatic means, provided that it is a part of any\ndata recording system.\n <\/td>\n <\/tr>\n\n
Personal Data<\/strong><\/td>\n \n Any information relating to an identified or identifiable natural person.\n <\/td>\n <\/tr>\n\n
Data Inventory<\/strong><\/td>\n \n The personal data processing activities carried out by data controllers\ndepending on their business processes; The inventory they create by\nassociating the purposes and legal reason for processing personal data, the\ndata category, the recipient group to which it is transferred and the data\nsubject group and details the maximum retention period required for the\npurposes for which personal data is processed, the personal data envisaged\nto be transferred to foreign countries and the measures taken regarding data\nsecurity.\n <\/td>\n <\/tr>\n\n
Personal Data\nProcessing<\/strong><\/td>\n \n Any operation performed on personal data such as obtaining, recording,\nstoring, preserving, changing, rearranging, disclosing, transferring, taking\nover, making available, classifying or preventing the use of personal data by\nfully or partially automatic means or non-automatic means provided that it is\na part of any data recording system.\n <\/td>\n <\/tr>\n\n
Commission<\/strong><\/td>\n \n The Personal Data Protection Commission established by ASEN to manage\nthe Policy and other related procedures and to ensure the enforcement of the\nPolicy.\n <\/td>\n <\/tr>\n\n
Board<\/strong><\/td>\n \n Personal Data Protection Board.\n <\/td>\n <\/tr>\n\n
Institution<\/strong><\/td>\n \n Personal Data Protection Authority\n <\/td>\n <\/tr>\n\n
Special Categories of\nPersonal Data<\/strong><\/td>\n \n Data related to race, ethnic origin, political opinion, philosophical belief,\nreligion, sect or other beliefs, appearance, membership to associations,\nfoundations or unions, health, sexual life, criminal convictions and security\nmeasures, and biometric and genetic data.\n <\/td>\n <\/tr>\n\n
Periodic Destruction<\/strong><\/td>\n \n In the event that all of the conditions for processing personal data in the Law\ndisappear, the deletion, destruction or anonymization process specified in\nthe personal data storage and destruction policy and to be carried out ex\nofficio at repeated intervals.\n <\/td>\n <\/tr>\n\n
Policy<\/strong><\/td>\n \n Personal Data Protection Policy\n <\/td>\n <\/tr>\n\n
Data Processor<\/strong><\/td>\n \n A natural or legal person who processes personal data on behalf of the data\n\ncontroller based on the authority granted by the data controller.\n <\/td>\n <\/tr>\n\n
Data Controller<\/strong><\/td>\n \n A natural or legal person who determines the purposes and means of\nprocessing personal data and is responsible for the establishment and\nmanagement of the data recording system.\n <\/td>\n <\/tr>\n <\/tbody>\n<\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

4. GENERAL PRINCIPLES<\/h3>

ASEN checks the compliance of the data to be processed in the preparation phase of each workflow
that requires new personal data processing with the following principles. Workflows that are not\neligible will not be implemented.<\/p>

While ASEN processes personal data;<\/p>

  1. It obeys the law and the rules of honesty.<\/li>
  2. It makes sure that personal data is accurate and up-to-date when necessary.<\/li>
  3. It pays attention to the fact that the purpose of processing is specific, clear and legitimate.<\/li>
  4. It checks that the processed data is related to the purpose of processing, that it is processed as
    limited to the extent that it should be processed, and that it is proportionate.<\/li>
  5. It retains the data only as long as it is stipulated in the relevant legislation or necessary for the
    purpose of processing, and destroys it when the purpose of processing disappears.<\/li><\/ol>

    5. DUTIES AND RESPONSIBILITIES<\/h3>

    The Personal Data Protection Commission has been established within ASEN in order to manage this
    Policy and other related procedures regarding the processing of personal data and to ensure the
    enforcement of the Policy. The General Manager represents the Commission as the chairman and the
    members are department managers. In addition, ASEN also receives KVKK consultancy support in order
    to comply with the Personal Data Protection Law No. 6698 when necessary. If the commission deems it
    necessary, it may also invite KVKK consultants and professional experts to its meetings.<\/p>

    The duties and responsibilities of the Commission are stated below.<\/p>

    1. It convenes annually under normal circumstances. If conditions require it, extraordinary meetings
      can be held (for example, in the event of a possible data breach).<\/li>
    2. Discusses the issues that need to be changed\/improved in the Policy.<\/li>
    3. It determines the issues that can be fulfilled in order to process and protect personal data in\naccordance with the law.<\/li>
    4. The Commission determines the steps that can be taken to increase KVKK awareness within the\ncompany and among its business partners.<\/li>
    5. It identifies the risks that may be encountered in the processing and protection of personal data
      and takes the necessary administrative and technical measures.<\/li>
    6. It provides contact with the institution and manages the relations.<\/li>
    7. It evaluates the requests from the data subject.<\/li>
    8. It follows the periodic destruction processes.<\/li>
    9. Updates the Data Inventory.<\/li>
    10. It makes assignments regarding the above-mentioned issues.<\/li><\/ol>

      6. MEASURES TAKEN FOR DATA SECURITY<\/h3>

      ASEN takes all necessary technical and administrative measures to ensure the appropriate
      level of\nsecurity in order to prevent the unlawful processing of personal data, to prevent unlawful access
      to personal data, and to ensure the protection of personal data.<\/p>

      6.1. Within the scope of the technical measures recommended by the Personal Data Protection\nAuthority;<\/h3>

      a) Ensuring Cybersecurity<\/h4>
      • Priority measures that can be taken to protect information technology systems containing\npersonal
        data against unauthorized access threats over the internet,<\/li>
      • Ensuring that access to systems containing personal data is also limited, Employees are given
        limited access authority and access to the relevant systems by using username and
        password,<\/li>
      • To protect against malware, it is also necessary to use products such as antivirus, antispam, which
        regularly scan the information system network and detect dangers.<\/li><\/ul>

        b) Monitoring Personal Data Security<\/h4>
        • In order to prevent and prevent information processing systems from being exposed to both\ninternal
          and external attacks and cybercrime or malware;<\/li>
        • Checking which software and services are running in information networks.<\/li>
        • Determining whether there is infiltration in information networks.<\/li>
        • Keeping a record of all users' transaction transactions (such as log records).<\/li>
        • Reporting security issues as quickly as possible.<\/li><\/ul>

          c) Ensuring the Security of Environments Containing Personal Data<\/h4>
          • Ensuring the physical security of devices containing personal data (laptop, mobile phone, flash\ndisk,
            etc.) that may experience personal data security breaches,<\/li>
          • Sending personal data to be transferred by e-mail or mail by taking adequate precautions.<\/li>
          • In order to ensure the security of personal data, the protection of devices such as paper
            documents, servers, backup devices, CDs, DVDs and USBs containing personal data in\nsections\/rooms
            with access authorization restrictions with additional security measures.<\/li>
          • Taking measures such as keeping these areas under lock and key when not in use and keeping
            entry and exit records.<\/li><\/ul>

            d) Storage of Personal Data in the Cloud<\/h4>
            • Managing the risks associated with the processing of personal data by cloud storage service\nproviders.<\/li>
            • Evaluation and approval by the data controller whether the security measures taken by the cloud
              storage service provider are sufficient and appropriate.<\/li>
            • In this context, knowing in detail what personal data is stored in the cloud, backing it up, ensuring
              synchronization and practicing authentication control.<\/li><\/ul>

              e) Backup of Personal Data<\/h4>
              • Ensuring that backed-up personal data is only accessible to the system administrator.<\/li>
              • Data set backups must be kept out of the network.<\/li>
              • Taking measures against the use of malware on data set backups.<\/li>
              • Ensuring the physical security of all backups.<\/li><\/ul><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                \n\t\t\t\t
                \n\t\t\t\t\t\t\t\t\t

                f) Information Technology Systems Supply, Development and Maintenance<\/h4>\n\n
                  \n
                • \n If the devices sent to third institutions such as manufacturers, sellers, and services contain\npersonal data because they are defective or due for maintenance, ensuring the security of\npersonal data before sending these devices for maintenance and repair.\n <\/li>\n\n
                • \n Dismantling and storing the data storage media on the devices.\n <\/li>\n\n
                • \n Performing operations such as sending only defective parts.\n <\/li>\n\n
                • \n If personnel have come from outside for purposes such as maintenance and repair, preventing\nthem from copying personal data and taking them out of the institution.\n <\/li>\n<\/ul>\n\n\n

                  g) Regarding the Need for the Implementation of These Technical Measures, ASEN implements the\nfollowing technical measures;<\/h4>\n\n
                    \n
                  • Authority Matrix Procedure.<\/li>\n\n
                  • Authority Control Procedure.<\/li>\n\n
                  • Access Logs Practice.<\/li>\n\n
                  • User Account Management Procedure.<\/li>\n\n
                  • Network Security Management.<\/li>\n\n
                  • Application Security Management.<\/li>\n\n
                  • Encryption Management.<\/li>\n\n
                  • Log Records Procedure.<\/li>\n\n
                  • Data Masking Procedure.<\/li>\n\n
                  • Backup Management.<\/li>\n\n
                  • Up-to-date Anti-Virus Systems Management.<\/li>\n\n
                  • Delete, Destroy, or Anonymize Procedure.<\/li>\n<\/ul>\n\n\n

                    6.2. Within the scope of the Administrative Measures Recommended by the Personal Data\nProtection Authority;<\/h3>\n\n

                    a) Identification of Existing Risks and Threats<\/h4>\n\n
                      \n
                    • \n What all personal data processed by the data controller are in order to ensure the security of\npersonal data,\n <\/li>\n\n
                    • \n Accurately determining the probability of occurrence of risks that may arise regarding the\nprotection of this data and the losses that will be caused in case of occurrence,\n <\/li>\n\n
                    • \n Appropriate measures must be taken.\n <\/li>\n<\/ul>\n\n\n

                      b) Employee Training and Awareness Activities<\/h4>\n\n
                        \n
                      • \n To receive training on issues such as not to disclose and share personal data unlawfully.\n <\/li>\n\n
                      • \n Conducting awareness activities for employees and creating an environment where security risks\ncan be identified, ensuring personal data security.\n <\/li>\n\n
                      • \n Roles and responsibilities regarding personal data security should be determined in job\ndescriptions and employees should be aware of their roles and responsibilities in this regard.\n <\/li>\n\n
                      • \n Acting in accordance with the principle of "Everything is Prohibited Unless Allowed" when granting\naccess to environments containing personal data.\n <\/li>\n\n
                      • \n Determination of Personal Data Security Policies and Procedures\n <\/li>\n\n
                      • \n Reducing Personal Data as Much as Possible\n <\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                        \n\t\t\t\t
                        \n\t\t\t\t\t\t\t\t\t
                        • Management of Relations with Data Processors<\/li><\/ul>

                          Regarding the Need to Implement These Administrative Measures, ASEN implements the following\nadministrative measures;<\/p>

                          • Preparation of Personal Data Processing Inventory<\/li>
                          • Corporate Policies (Antivirus, E-Mail, Physical Security, Backup, etc.)<\/li>
                          • Contracts (Data Controller-Data Controller, \/ Data Controller - Data Processor Confidentiality
                            Commitments, etc.)<\/li>
                          • In-House Periodic and\/or Random Audits<\/li>
                          • Risk Analysis<\/li>
                          • Employment Contract, Disciplinary Regulation (Addition of Provisions in Accordance with the Law,\netc.)<\/li>
                          • Corporate Communication (Crisis Management, Board and Data Subject Notification Processes,\netc.)<\/li>
                          • Training and Awareness Activities (Information Security and Law)<\/li>
                          • Notification to the Data Controllers Registry Information System (VERBIS)<\/li><\/ul>

                            7. RIGHTS OF THE DATA SUBJECT REGARDING PERSONAL DATA<\/h3>

                            The data subject can apply to ASEN and make a request on the following issues:<\/p>

                            1. To learn whether their personal data is processed,<\/li>
                            2. Requesting information if personal data has been processed,<\/li>
                            3. To learn the purpose of processing personal data and whether they are used in accordance with\ntheir purpose,<\/li>
                            4. To learn the third parties to whom their personal data is transferred domestically or abroad,<\/li>
                            5. To request correction of personal data in case of incomplete or incorrect processing and to\nrequest
                              notification of the transaction made in this context to third parties to whom personal data has\nbeen transferred,<\/li>
                            6. Although it has been processed in accordance with the provisions of the KVKK and other relevant
                              laws, to request the deletion, destruction or anonymization of personal data in case the reasons
                              requiring its processing disappear and to request that the transaction made in this context be
                              notified to third parties to whom their personal data has been transferred,<\/li>
                            7. To object to the emergence of a result against the processed data by analyzing it exclusively
                              through automated systems,<\/li>
                            8. To request compensation for the damage in case of damage due to unlawful processing of
                              personal data.<\/li><\/ol>

                              8. VIOLATION NOTIFICATIONS<\/h3>

                              ASEN employees report to the Commission any work, action or fact that they think violates the
                              provisions of the KVKK and\/or the Policy. The Commission convenes after this violation notification if it
                              deems necessary and creates an action plan regarding the violation.<\/p>

                              If the violation has occurred through the unlawful acquisition of personal data by others, the
                              Commission notifies the data subject and the Board within 72 hours within the scope of the Board's
                              decision dated 24.01.2019 and numbered 2019\/10.<\/p>

                              9. CHANGES<\/h3>

                              Changes to the policy are prepared by the Commission and submitted to the approval of the
                              Board of Directors. The updated Policy can be sent to employees via e-mail or published on the
                              website.<\/p>

                              10. REFERENCE DOCUMENTS<\/h3>

                              Law No. 6698 on the Protection of Personal Data and other legislation<\/p>

                              11. EFFECTIVE DATE<\/h3>

                              This version of the Policy was approved by the ASEN Board of Directors on 10.02.2026 and entered
                              into force.<\/p>

                              H. GOKHAN ASLAN<\/strong>
                              General Manager<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"

                              Ki\u015fisel VerilerinKorunmas\u0131 Politikas\u0131 1. AMA\u00c7 Her bireyin kendisi ile ilgili ki\u015fisel verilerin korunmas\u0131n\u0131 isteme hakk\u0131 Anayasa\u2019dan do\u011fan kutsal bir hakt\u0131r. ASEN AL\u00dcM\u0130NYUM […]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1347","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/pages\/1347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/comments?post=1347"}],"version-history":[{"count":29,"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/pages\/1347\/revisions"}],"predecessor-version":[{"id":1413,"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/pages\/1347\/revisions\/1413"}],"wp:attachment":[{"href":"https:\/\/www.asenalu.com\/en\/wp-json\/wp\/v2\/media?parent=1347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}